If your Internet business model is supported by contextual or other forms of content-based targeted advertising, the Northern District of California just handed down a decision that may affect the way you do (or define) “business.”
Another (Small) Victory on the Privacy Battlefield
Free Services Through Smart Advertising
As is common knowledge by this point, Google uses targeted advertising to power and fund its largely free services (e.g., Gmail, web search, YouTube, Picasa, apps on its Android phones). Instead of charging for those services, Google includes advertisements in its services to generate revenue. To serve ads that are more relevant to the user (and therefore more likely to be clicked, thereby generating more revenue), Google builds a user profile based on how each user interacts with its services. For example, a user who searches for new trucks may receive more ads for trucks, and a user who sends an email or watches a YouTube video about a ski trip may receive more ads about vacation properties in Tahoe. Prior to 2012, Google segregated this customer information by the services they used. Put another way, Google’s services didn’t ‘talk to each other’ in the advertising sense, and a user who searched the web for trucks would not be profiled for that behavior while using Gmail or YouTube. In 2012, Google improved the quality and accuracy of its advertising model by integrating its databases across all of its products and services. By merging this information, Google can profile its users by combining their information (including personally identifiable information, or “PII”) from its many services.
The Prize Fight: ECPA
While Plaintiffs asserted seven causes of action, the real fight centers around the Electronic Communications Privacy Act (“ECPA”). ECPA, a nearly thirty-year-old amendment to the Wiretap Act that was intended to bring it into the then-new digital age, prohibits the “interception” of electronic communications without user consent. Importantly, ECPA provides for statutory damages per interception that, in the modern world of the Internet, can easily result in potential damages in the millions (or billions) of dollars. Notably, providers of electronic communication services are exempt from the ECPA if the alleged ‘interception’ occurs “in the ordinary course of business.”
The Crucial Question: What’s Your Business?
Google argued the creation of user profiles and the serving of targeted ads was in its ‘ordinary course of business’ because what Google offers are ad-supported Internet services (i.e., Google serves ads in order to provide its services). In contrast, Plaintiffs argued for a narrower construction that would reserve ECPA’s “ordinary course of business” exception for situations where the interception was absolutely necessary to the electronic communication in question (i.e., Google does not need to serve an advertisement to transmit an email from point A to point B—it need only comply with certain email protocols such as POP, IMAP or SMTP). In the end, Google won. Judge Grewal ruled that ECPA’s “ordinary course of business” exception was not limited only to those actions “technically necessary to processing email” but also covered the broader ancillary aspects of Google’s Gmail business such as virus scanning, spam filtering, indexing, and most importantly, advertisements. Considering advertisements pay for the majority of Google’s services and products, Judge Grewal determined that the Plaintiffs’ could not artificially and narrowly define the “ordinary course of business” to exclude the challenged advertising practices.
This opinion stands in stark contrast to Judge Koh’s treatment of the same issue last month in a separate, but related, Google case pending in the same division of the same district court. In that case, Plaintiffs allege that Google violates ECPA by creating user profiles and collecting PII within its Gmail service. In re: Google Inc. Gmail Litigation, 13-MD-02430-LHK (N.D. Cal. Sept. 26, 2013). Google moved to dismiss on the two exceptions to ECPA—the users consented, and it was only ‘intercepting’ communications in the ordinary course of its business. Judge Koh denied Google’s motion and took a much narrower view of the ordinary course of business exception—essentially adding an additional requirement that the interception be essential to the communication, not simply used in the ordinary course of the company’s business. See 18 USC § 2510(5)(a)(ii) (exception is for device “being used by a provider of wire or electronic communication service in the ordinary course of its business”). Judge Koh’s order has now been appealed to the Ninth Circuit, and we will likely gain some further clarity when that decision is handed down.
For now, while the bounds of the ECPA exception are not completely resolved, this case is a win for defendants who provide communication services that are supported with revenue from targeted advertising. Indeed, the more a company relies on advertising to power its business model, the more strongly they will be able to argue that their advertising practices are “in the ordinary course of business” and thus exempt from the grip of the Electronic Communications Privacy Act.
Last Word: Standing
Judge Grewal’s order also provides a roadmap to Plaintiffs for how to assert “standing” in privacy cases. Federal courts require that a plaintiff suffer some form of legal injury or damage to sustain an action. Because privacy actions are often premised on negligible forms of damage (e.g., a browser cookie doesn’t cause harm to a computer, and advertising doesn’t really slow a computer down), defendants have been successful in getting cases dismissed from federal court because of lack of standing.
In any event, Judge Grewal has given Plaintiffs one last chance to file an amended complaint, and it will be interesting to see how Plaintiffs will attempt to plead around his view of the ECPA’s exceptions.